This is a simple alternative to django-rules. Its core difference is that it does not rely on models. Instead, it uses a registry which can be modified at runtime.
One of its goals is to let developers of external apps define rules and depend on it, while still allowing a project to override those rules.
```python
import rules_light

# Everybody can read a blog post (for now!):
rules_light.registry['blog.post.read'] = True

# Require authentication to create a blog post, using a shortcut:
rules_light.registry['blog.post.create'] = rules_light.is_authenticated

# But others shouldn't mess with my posts!
def is_staff_or_mine(user, rule, obj):
    return user.is_staff or obj.author == user

rules_light.registry['blog.post.update'] = is_staff_or_mine
rules_light.registry['blog.post.delete'] = is_staff_or_mine
```
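```python
from django.views import generic

import rules_light

from .models import Post  # assumed location of the Post model

# class_decorator selects the rule to check from the view type and model,
# e.g. the read rule for a DetailView.
@rules_light.class_decorator
class PostDetailView(generic.DetailView):
    model = Post

@rules_light.class_decorator
class PostCreateView(generic.CreateView):
    model = Post

@rules_light.class_decorator
class PostUpdateView(generic.UpdateView):
    model = Post

@rules_light.class_decorator
class PostDeleteView(generic.DeleteView):
    model = Post
```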
You might want to read the tutorial for more.
What's the catch?
The catch is that this approach does not offer any feature to get secure querysets.
This means you have to:
- think about security when making querysets,
- override any ListViews from external apps.
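To make the catch concrete, here is an added example (not code from django-rules-light) that uses a plain-Python stand-in for the registry to show a per-object rule protecting a detail view while an unscoped list still returns every row. The `published` field, the `can_read` rule, the view functions and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

class Denied(Exception):
    """Stand-in for the 403 a denied view would return."""

@dataclass(frozen=True)
class User:
    name: str
    is_staff: bool = False

@dataclass(frozen=True)
class Post:
    title: str
    author: User
    published: bool  # assumed field, not in the page's example

# Constructed sample data.
ALICE, BOB, ADMIN = User("alice"), User("bob"), User("admin", is_staff=True)
POSTS = [Post("Hello", ALICE, True), Post("Alice draft", ALICE, False),
         Post("Bob draft", BOB, False)]

# Stand-in registry (not rules_light itself): name -> bool or callable.
registry = {}

def can_read(user, rule, obj):
    return obj.published or user.is_staff or obj.author == user

registry["blog.post.read"] = can_read

def run(user, name, obj):
    """Evaluate a rule; an unregistered name raises KeyError (no silent allow)."""
    rule = registry[name]
    return rule(user, name, obj) if callable(rule) else bool(rule)

def detail_view(user, title):
    """Per-object view: the rule sees the object, so drafts are protected."""
    post = next(p for p in POSTS if p.title == title)
    if not run(user, "blog.post.read", post):
        raise Denied(title)
    return post

def list_view_unscoped(user):
    """No object reaches the rule here, so every row is returned."""
    return [p.title for p in POSTS]

def list_view_scoped(user):
    """Same policy applied while building the result set."""
    return [p.title for p in POSTS if run(user, "blog.post.read", p)]
```

In a Django ListView, the scoped version belongs in `get_queryset` as a database filter rather than a Python loop over all rows.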

Requirements:

- Python 2.7+ (Python 3 supported)
- Django 1.8+

Installation:

- Install module: pip install django-rules-light,
- Add to
- Add in
settings.MIDDLEWARE for Django 1.10+):
You might want to read the tutorial.
There is also a lot of documentation, from the core to the tools, including pointers to debug, log and test your security.
To ask questions or just get informed about package updates, you could subscribe to the mailing list.